On Wed, Jul 30, 2003 at 11:17:30PM +0800, Yusuf Goolamabbas wrote:

> If I remove INET6 support from an OpenBSD 3.3-RELEASE kernel, would this
> help pf become faster and states take lesser memory or do I have to
> rebuild the world for this

Neither will reduce the memory size of a state entry, which is defined large enough to hold either type of addresses, no matter whether support for INET6 is compiled in or not. This could be changed, of course, but would make the code more complex. In the best case, you could reduce the size of a state entry to 25%, and handle four times the number of states with the same amount of RAM. If you're operating exactly within that 100-400% range where it matters, adding RAM is the cheapest solution.

> I am looking to do lots of DNS queries from a set of machines behind an
> OpenBSD bridging firewall and was wondering whether using stateful rules
> would cause a lot of memory pressure and if I could alleviate it by
> removing INET6 support from the kernel

If you end up with several hundred thousand concurrent state entries for DNS queries/replies, and run out of memory, you might want to consider passing UDP DNS traffic statelessly. If by 'lots' you mean merely a couple of thousand concurrent states at any time, that won't be a problem, anyway.

Daniel
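
The stateful and stateless handling of UDP DNS discussed in the reply above, written out as a pf.conf fragment. This is an added example, not part of the original message; the interface name, the client network and the choice to filter on only one bridge member are assumptions.

```conf
# Added example; macro values are hypothetical placeholders.
int_if  = "fxp1"           # bridge member facing the querying machines (assumed)
clients = "192.0.2.0/24"   # machines sending the DNS queries (assumed)

# Assumption: filtering is done on $int_if only and the other bridge
# member passes all traffic, so each packet is evaluated once.

# Stateful variant: every query creates one state entry, and the reply
# is matched against that entry instead of against the ruleset.
# pass in on $int_if inet proto udp from $clients to any port 53 keep state

# Stateless variant: no state entries are created, so the replies need
# an explicit rule of their own in the opposite direction.
# On OpenBSD 3.3 a pass rule without "keep state" creates no state.
# On releases where "keep state" is the default, append "no state"
# to both rules to get the same behaviour.
pass in  on $int_if inet proto udp from $clients to any port 53
pass out on $int_if inet proto udp from any port 53 to $clients
```

With the stateless pair, the second rule admits any UDP packet with source port 53 addressed to the clients, because there is no state entry to tie a reply to an earlier query; `pfctl -s info` shows the current number of state entries for comparing the two variants.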